git: 444a77ca85c7 - main - pf: expose syncookie active/inactive status

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 31 Oct 2022 17:14:27 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=444a77ca85c78d02c19622a83a2798d0c5c2117b

commit 444a77ca85c78d02c19622a83a2798d0c5c2117b
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-09-24 12:47:17 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-10-31 17:14:09 +0000

    pf: expose syncookie active/inactive status
    
    When syncookies are in adaptive mode they may be active or inactive.
    Expose this status to users.
    
    Suggested by:   Guido van Rooij
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 lib/libpfctl/libpfctl.c   | 1 +
 lib/libpfctl/libpfctl.h   | 1 +
 sbin/pfctl/pfctl_parser.c | 2 ++
 sys/netpfil/pf/pf_ioctl.c | 2 ++
 4 files changed, 6 insertions(+)

diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 5b93fd1043d6..451567402470 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -224,6 +224,7 @@ pfctl_get_status(int dev)
 	status->hostid = ntohl(nvlist_get_number(nvl, "hostid"));
 	status->states = nvlist_get_number(nvl, "states");
 	status->src_nodes = nvlist_get_number(nvl, "src_nodes");
+	status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active");
 
 	strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"),
 	    IFNAMSIZ);
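Review bot: The added `nvlist_get_bool(nvl, "syncookies_active")` in pfctl_get_status() is unconditional, and libnv's nvlist_get_* accessors abort the calling program when the named element is absent. A libpfctl built from this commit would therefore abort when it queries a kernel that predates the matching pf_getstatus() change. The neighbouring lookups are equally unchecked, but they presumably name keys that older kernels already export, whereas this key is new. Consider `status->syncookies_active = nvlist_exists_bool(nvl, "syncookies_active") && nvlist_get_bool(nvl, "syncookies_active");` so that a userland/kernel version skew degrades to "inactive" instead of killing the status query. pfctl_get_status() starts and ends outside the hunk.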
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index faccabd227a3..933a3927ac26 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -57,6 +57,7 @@ struct pfctl_status {
 	uint64_t	src_nodes;
 	char		ifname[IFNAMSIZ];
 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
+	bool		syncookies_active;
 
 	struct pfctl_status_counters	 counters;
 	struct pfctl_status_counters	 lcounters;
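Review bot: The new `syncookies_active` member carries no comment, and the header does not say what it means outside adaptive mode. I would add something like `/* adaptive mode: syncookies currently engaged */` beside it, with the wording confirmed against what the kernel reports in the other modes. The member is also inserted in the middle of `struct pfctl_status`, which moves `counters` and every later field; if anything is built against the old header, appending at the end would avoid a silent layout mismatch. The struct definition starts and ends outside the hunk.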
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 260c754f7209..1ad895bede05 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -622,6 +622,8 @@ print_status(struct pfctl_status *s, struct pfctl_syncookies *cookies, int opts)
 		assert(cookies->mode <= PFCTL_SYNCOOKIES_ADAPTIVE);
 		printf("  %-25s %s\n", "mode",
 		    PFCTL_SYNCOOKIES_MODE_NAMES[cookies->mode]);
+		printf("  %-25s %s\n", "active",
+		    s->syncookies_active ? "active" : "inactive");
 	}
 }
 
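Review bot: The added "active" row in print_status() is printed for every syncookie mode, while the commit message describes active/inactive as a state of adaptive mode. An operator checking this output while under SYN load could read `inactive` beneath a non-adaptive mode and draw the wrong conclusion about whether cookies are being issued. Unless the kernel maintains `syncookies_active` for the other modes as well (not visible here), guard the row with `if (cookies->mode == PFCTL_SYNCOOKIES_ADAPTIVE)`. The label/value pair also renders as `active   active`; a label such as `"adaptive status"` would be easier to read. print_status() starts outside the hunk.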
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 3ce74963a1e9..c1a098ff887f 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -5816,6 +5816,8 @@ pf_getstatus(struct pfioc_nv *nv)
 	nvlist_add_number(nvl, "hostid", V_pf_status.hostid);
 	nvlist_add_number(nvl, "states", V_pf_status.states);
 	nvlist_add_number(nvl, "src_nodes", V_pf_status.src_nodes);
+	nvlist_add_bool(nvl, "syncookies_active",
+	    V_pf_status.syncookies_active);
 
 	/* counters */
 	error = pf_add_status_counters(nvl, "counters", V_pf_status.counters,